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Abstract 


This document specifies identifiers and challenges required to enable the Automated Certificate 
Management Environment (ACME) to issue certificates for IP addresses. 


Status of This Memo 


This is an Internet Standards Track document. 


This document is a product of the Internet Engineering Task Force (IETF). It represents the 
consensus of the IETF community. It has received public review and has been approved for 
publication by the Internet Engineering Steering Group (IESG). Further information on Internet 
Standards is available in Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback 
on it may be obtained at https://www.rfc-editor.org/info/rfc8738. 
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1. Introduction 


The Automatic Certificate Management Environment (ACME) [RFC8555] only defines challenges 
for validating control of DNS host name identifiers, which limits its use to being used for issuing 
certificates for DNS identifiers. In order to allow validation of IPv4 and IPvé6 identifiers for 
inclusion in X.509 certificates, this document specifies how challenges defined in the original 
ACME specification and the TLS-ALPN extension specification [RFC8737] can be used to validate 
IP identifiers. 


2. Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD 
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to 
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in 
all capitals, as shown here. 
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3. IP Identifier 


[RFC8555] only defines the identifier type "dns", which is used to refer to fully qualified domain 
names. If an ACME server wishes to request proof that a user controls an IPv4 or IPv6 address, it 
MUST create an authorization with the identifier type "ip". The value field of the identifier MUST 
contain the textual form of the address as defined in Section 2.1 of [RFC1123] for IPv4 and in 
Section 4 of [RFC5952] for IPv6. 


An identifier for the IPv6 address 2001:db8::1 would be formatted like so: 


{types Vapi Uvaluet:) 12001: db Siti: 


4. Identifier Validation Challenges 


IP identifiers MAY be used with the existing "http-01" (see Section 8.3 of [RFC8555]) and "tls- 
alpn-01" (see Section 3 of [RFC8737]). To use IP identifiers with these challenges, their initial DNS 
resolution step MUST be skipped, and the IP address used for validation MUST be the value of the 
identifier. 


5. HTTP Challenge 


For the "http-01" challenge, the Host header field MUST be set to the IP address being used for 
validation per [RFC7230]. The textual form of this address MUST be as defined in Section 2.1 of 
[RFC1123] for IPv4 and in Section 4 of [RFC5952] for IPv6. 


6. TLS with Application-Layer Protocol Negotiation (TLS 
ALPN) Challenge 


For the "tls-alpn-01" challenge, the subjectAltName extension in the validation certificate MUST 
contain a single iPAddress that matches the address being validated. As [RFC6066] does not 
permit IP addresses to be used in the Server Name Indication (SNI) extension HostName field, the 
server MUST instead use the IN-ADDR.ARPA [RFC1034] or IP6.ARPA [RFC3596] reverse mapping 
of the IP address as the HostName field value instead of the IP address string representation 
itself. For example, if the IP address being validated is 2001:db8::1, the SNI HostName field 
should contain "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa". 


7. DNS Challenge 


The existing "dns-01" challenge MUST NOT be used to validate IP identifiers. 
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8. IANA Considerations 


8.1. Identifier Types 


Per this document, a new type has been added to the "ACME Identifier Types" registry defined in 
Section 9.7.7 of [RFC8555] with Label "ip" and Reference "RFC 8738". 


8.2. Challenge Types 


Per this document, two new entries have been added to the "ACME Validation Methods" registry 
defined in Section 9.7.8 of [RFC8555]. These entries are defined below: 


Label Identifier Type ACME Reference 

http-01 ip Y RFC 8738 

tls-alpn-01 ip Y RFC 8738 
Table 1 


9. Security Considerations 


The extensions to ACME described in this document do not deviate from the broader threat 
model described in Section 10.1 of [RFC8555]. 


9.1. Certification Authority (CA) Policy Considerations 


This document only specifies how an ACME server may validate that a certificate applicant 
controls an IP identifier at the time of validation. The CA may wish to perform additional checks 
not specified in this document. For example, if the CA believes an IP identifier belongs to an ISP 
or cloud service provider with short delegation periods, they may wish to impose additional 
restrictions on certificates requested for that identifier. 
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